We Got Hacked – And How We Fixed It

This Sunday morning, Slashpix IMed me on Google Talk about a shocking thing that happened to my blog. He asked “What’s up with your site?”, and curious enough, I checked out my blog and wow, this just scared the heck out of me:

Parking Page of Carl Ocab dot com

Hoping it was just a slip on the web host’s side, I checked every domain on the same hosting account. Eight of them were taken down, all registered under my dad’s name, carlocab.com and grandstart.com among them.

I paused for a moment and logged in on MSN to find guys I could chat with and get help from, because this was the first site hack I had encountered. Three people started IMing me and asked about the parking page. One of them was my buddy XMCP, who gladly helped me and gave me useful advice on what to do.

After a few minutes, I chatted with Host Gator and asked them why that page was showing up. It took them about 10 minutes to give me a solution – that didn’t work.

They told me that the domains had been removed as addon domains in cPanel. They said I should add them back, but it seems I can’t, because they are already added on another account.

The funny thing was, the nameservers were not changed at all. The hacker might have used another Host Gator account on the same nameservers to put that ugly landing page on my domains. This gave me time to breathe: no files were removed and no files were lost, so no worries there. I just have to nail this hacker and the thing is solved.

After a few IMs with XMCP, he told me to call Host Gator to get more live help and track down the hacker. I told my dad about the situation and he called HG. Again, it took support 10 minutes to answer the problem, and they gave my dad a link to a site restore page where we were supposed to pay $15 per domain to restore the sites.

Actually, if we did pay that it would cost us $120 without getting the problem fixed.

I thought of a quick solution to fix this in less than 24 hours (I couldn’t afford to wait for Host Gator to answer or fix this; it would probably take weeks), so Google wouldn’t notice the parked site and I wouldn’t lose all of my rankings within the day.

Carl Ocab Dot Com Rebirth

If someone was using it as an addon domain on Host Gator, then I could probably get away with it by changing the nameservers and switching to a new host. I packed up all the WP stuff and looked for a more secure hosting plan.

Enter Media Temple, one of the biggest names in the web hosting world. They host sites like ABC News, Nike, Adidas and even Adobe. I didn’t give it a second thought. I purchased their Grid-Service package and after 5 minutes, all was set in place!

I switched the nameservers of all the hacked sites to Media Temple’s and got them working within an hour. Special thanks to Charles Lau’s post on how to transfer WordPress to another server; it helped me transfer my blog with ease.

Lesson Learned

After a tiring day, I didn’t have any choice but to learn from what happened.

Never, ever be cheap when buying your web host. Always take the first class because it’s the life of your artwork. It’s the dirt that makes your tree grow. Back up files regularly too.

Personal Or Just A Security Hole?

When we got to church this morning, I kept thinking about whether this was done to us intentionally or whether it was just a cPanel security hole like what happened last year. What do you think?

Comments

Carl, I just tried to subscribe to your blog, and discovered that somehow the RSS sign up process is trying to subscribe me to ProBlogging, not your blog. [As it turns out, I’m already subscribed to that one already.]

I’ll try to keep up with your very interesting venture, esp since I spend half of each year in the Philippines. Perhaps I’ll take some of the information from my blog for writers and do a post for you, leading your readers to excellent FREE software for writers.

I’d say it was probably a more targeted attack. If he was using a mainstream host that just so happens to be yours, there’s a low chance of it being a mass scan. If someone were to scan for vulnerabilities, it would not be cost-effective to buy a hosting account at each host where there is someone vulnerable. Especially since many of the accounts would be canceled quite quickly.

I’m so happy that your site is now back online.. Yeah, I was wondering what happened to your site yesterday.. Anyway, thanks to your free e-book, very informative indeed.. Happy New Year to you and to your dad..

Hi Carl,
I really understand what you might have gone through. I once had the same experience with you and lost all my traffic. Just trying to rebuild the traffic back now. Anyway, it is good to move on with the lessons.

Oh… I’m glad your site was restored. I don’t know what I will do if that thing happens to me (in reality it won’t happen to me because I don’t have hosting, I just use Blogger). But anyway, also glad you didn’t lose your rankings.

Sorry for the misunderstanding but the reason I said that is because you said it yourself that it could have just been a cpanel security hole. I didn’t mean to sound like I thought that you did that to yourself. :)

@Ade: It’s not a hostgator problem; it’s a shared hosting problem.
You transfer a domain to their DNS, and then add it on. But WHOEVER adds it on first gets it. There’s no way to verify your claim.
So all this guy did was break into cpanel to remove the addon domain, then add it on his own account.
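
The first-claimant-wins behaviour this comment describes, replayed as an added example (constructed for this page, not Host Gator’s or cPanel’s code): a toy shared-host addon-domain table under the weak policy, beside a hardened policy in which the claimant must publish a host-issued token in the domain’s DNS before the addon is granted, the same style of challenge certificate issuers and webmaster tools use. The account names, the domain `example.com` and the `_hosting-verify` record name are assumptions for the illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A DNS TXT lookup: record name -> list of TXT strings published there (constructed stub).
TxtLookup = Callable[[str], List[str]]


class OwnershipNotProven(Exception):
    """Raised by the hardened policy when the claimant has not published the token."""


@dataclass
class SharedHost:
    """Toy model of a shared host's addon-domain table (constructed, not any vendor's code)."""
    require_proof: bool
    addon_domains: Dict[str, str] = field(default_factory=dict)               # domain -> account
    pending_tokens: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (account, domain) -> token

    def holder(self, domain: str) -> Optional[str]:
        return self.addon_domains.get(domain)

    def remove_addon_domain(self, account: str, domain: str) -> None:
        # Only the current holder can remove it. In the incident the attacker acted
        # from inside the victim's cPanel, so this check alone did not protect the domain.
        if self.addon_domains.get(domain) != account:
            raise PermissionError(f"{account} does not hold {domain}")
        del self.addon_domains[domain]

    def request_verification_token(self, account: str, domain: str) -> str:
        # Hardened policy step 1: the host issues a random token to the claiming account.
        token = secrets.token_hex(16)
        self.pending_tokens[(account, domain)] = token
        return token

    def add_addon_domain(self, account: str, domain: str,
                         dns_txt_lookup: Optional[TxtLookup] = None) -> str:
        if domain in self.addon_domains:
            raise ValueError(f"{domain} is already an addon domain of {self.addon_domains[domain]}")
        if self.require_proof:
            # Hardened policy step 2: the token must appear in a TXT record under the domain,
            # which only whoever controls the domain's DNS can publish.
            expected = self.pending_tokens.pop((account, domain), None)
            published = dns_txt_lookup(f"_hosting-verify.{domain}") if dns_txt_lookup else []
            if expected is None or expected not in published:
                raise OwnershipNotProven(f"{account} did not prove control of {domain}")
        # Weak policy (require_proof=False): whoever asks first gets it, no questions asked.
        self.addon_domains[domain] = account
        return account


def run_scenario() -> Dict[str, str]:
    """Replay the incident under both policies and report who ends up holding the domain."""
    domain = "example.com"          # constructed placeholder, not the hijacked domain
    owner_dns: Dict[str, List[str]] = {}   # zone the legitimate owner controls (constructed)

    def dns_txt_lookup(name: str) -> List[str]:
        return owner_dns.get(name, [])

    # Weak policy: the addon is removed from inside the owner's account and
    # immediately re-added on a different account. First claimant wins.
    weak = SharedHost(require_proof=False)
    weak.add_addon_domain("owner-account", domain)
    weak.remove_addon_domain("owner-account", domain)
    weak_holder = weak.add_addon_domain("attacker-account", domain)

    # Hardened policy: the same removal happens, but re-adding needs DNS proof.
    hard = SharedHost(require_proof=True)
    hard.addon_domains[domain] = "owner-account"   # legitimate initial setup
    hard.remove_addon_domain("owner-account", domain)
    hard.request_verification_token("attacker-account", domain)
    try:
        hard.add_addon_domain("attacker-account", domain, dns_txt_lookup)
        attacker_outcome = "succeeded"
    except OwnershipNotProven:
        attacker_outcome = "rejected"   # token never appeared in the owner's zone
    # The real owner can publish the token and reclaim the domain.
    token = hard.request_verification_token("owner-account", domain)
    owner_dns[f"_hosting-verify.{domain}"] = [token]
    hard_holder = hard.add_addon_domain("owner-account", domain, dns_txt_lookup)

    return {"weak": weak_holder, "hardened_attacker": attacker_outcome, "hardened": hard_holder}


if __name__ == "__main__":
    print(run_scenario())
```

Under the weak policy the table records nothing about who controls the domain at the registrar, so the host cannot tell the two claims apart; under the hardened policy the claim is tied to something the hosting account alone cannot forge. The same idea also gives a site owner a quick self-check: if the nameservers look untouched but the site is parked, the addon mapping on the host, not the DNS, is the first thing to question.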

Sorry for the misunderstanding. I read the part wrong where you said “if this was intentionally done to us or it was just a cpanel security hole”. When I said that if this was really done by a hacker, that was because I was taking into account the cpanel security hole (which I thought was something done by your web host). Anyway, I got it now. :)

Hey Carl. I noticed your site was parked when I typed it in. I then did a double take and said “what?”. I typed it in again and it was still parked. I then googled “make money online” and clicked your link and it was still parked. Good to know you got everything back up. I hope you catch the guy and best of luck with your new host. In my blog I discuss computer issues and how to protect yourself.

I believe that crackers find these breaches with search engines (or they are malicious users of the service they intend to hack), so they are familiar with the vulnerability. They then use a known method of exploitation. It’s important to get a diligent host who takes security seriously.

I have dealt with MT and have to say, they are a better professional host than most. If I didn’t need a reseller I would be with Media Temple for sure.

I hope you reset your password to something around 20 characters, alphanumeric with 5 or 6 characters. This way, crackers will not be able to get your password cracked without a very complex computer.

Ya know, I’ve always seen your website “Carlocab.com” come up on the search engines when I’m doing SEO research. I’m usually too busy to investigate and/or stop by, but I did today and I’m a bit fond of what I found. I like the site. I’m just glad I decided to come on a day when your site is actually up and running. Interesting topic here.